Cyberyoddha Data Store 2 write-up

Eddie Mora
Nov 2, 2020


Hello guys, this is Eddie_Mora from CRISIS Team, In this article, I will give a write up about a Web challenge I solved when playing Cyberyoddha CTF

The CTF was for newbies so all challenges were so easy but I will explain one about SQL injection!

The Challenge was named “Data Store 2” with 225 points!

The objective was to bypass this login panel, so the first thing to do us to check the source page but nothing interesting…

Then let's analyse the behaviours of the log-in function with Burpsuit Tool

So basically when using random credentials it gives “Ivalide Cred, please try again”

So let's check for SQLI, we will Test the inputs one by one to see if there any change on the error given!

So when checking for the first parameter [username=tst0'&password=tst1]
nothing happened! but when I tested on the second one I got this :

Interesting, It shows a different error which is good!

And due to the non-existence of any logical error than can help us to craft our Payload, I will use a common one tst’ OR 1=1 — ‘

After using the payload I succeded to login and I got redirected to a page called /secret

I saw no flag here so I followed the redirection on the browser and Bingo!